chore: generate secrets for macos signing service

eclipse-cbi · netomi · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
commit 6db41a3e01be7ef3b40d00d9f13c6142e89e8b36
diff --git a/webservice/signing/keychain.sh b/webservice/signing/keychain.sh
@@ -0,0 +1,55 @@
+#! /usr/bin/env bash
+#*******************************************************************************
+# Copyright (c) 2020 Eclipse Foundation and others.
+# This program and the accompanying materials are made available
+# under the terms of the Eclipse Public License 2.0
+# which is available at http://www.eclipse.org/legal/epl-v20.html
+# SPDX-License-Identifier: EPL-2.0
+#*******************************************************************************
+
+# Bash strict-mode
+set -o errexit
+set -o nounset
+set -o pipefail
+
+IFS=$'\n\t'
+
+# Json that will be used for finding keystore metadata can either be passed to stdin or
+# as the file path in $1
+JSON_FILE="${1:-"/dev/stdin"}"
+SERVICE_JSON=$(<"${JSON_FILE}")
+
+KUBECTL_OPT=()
+TEMP_FILES=()
+
+for ENTRY in $(jq -r '.keystore.entries | map(tostring) | join("\n")' <<<"${SERVICE_JSON}"); do
+  ENTRY_NAME="$(jq -r '.name' <<<"${ENTRY}")"
+
+  echo "INFO: Processing keychain '${ENTRY_NAME}'"
+
+  KEYCHAIN_FILE="$(mktemp)"
+  PASSWD_FILE="$(mktemp)"
+
+  TEMP_FILES+=(${KEYCHAIN_FILE} ${PASSWD_FILE})
+
+  pass $(jq -r '.keychain.pass' <<<"${ENTRY}") >> "${KEYCHAIN_FILE}"
+  pass $(jq -r '.password.pass' <<<"${ENTRY}") >> "${PASSWD_FILE}"
+
+  KEYCHAIN_FILENAME=$(jq -r '.keychain.filename' <<<"${ENTRY}")
+  PASSWD_FILENAME=$(jq -r '.password.filename' <<<"${ENTRY}")
+
+  KUBECTL_OPT+=("--from-file=${KEYCHAIN_FILENAME}=${KEYCHAIN_FILE}")
+  KUBECTL_OPT+=("--from-file=${PASSWD_FILENAME}=${PASSWD_FILE}")
+done
+
+# apply keystore to the cluster
+kubectl create secret generic "$(jq -r '.keystore.secretName' <<<"${SERVICE_JSON}")" \
+  --namespace "$(jq -r '.kube.namespace' <<<"${SERVICE_JSON}")" \
+  "${KUBECTL_OPT[@]}" \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+for TMP_FILE in "${TEMP_FILES[@]}"
+do
+  # echo "Deleting temp file: ${TMP_FILE}"
+  rm -f "${TMP_FILE}"
+done
diff --git a/webservice/signing/macosx/service.jsonnet b/webservice/signing/macosx/service.jsonnet
@@ -14,6 +14,30 @@ deployment.newDeployment("macosx-signing", std.extVar("artifactId"), std.extVar(
     path: "/var/run/secrets/%s/" % $.kube.serviceName,
     volumeName: "keystore",
     secretName: "%s-keystore" % $.kube.serviceName,
+    entries: [
+      {
+        name: "Application Certificate",
+        keychain: {
+          pass: "IT/CBI/PKI/mac.developer@eclipse.org/Eclipse Foundation, Inc./application-keychain.p12",
+          filename: "application-keychain.p12",
+        },
+        password: {
+          pass: "IT/CBI/PKI/mac.developer@eclipse.org/Eclipse Foundation, Inc./application-keychain.passphrase",
+          filename: "application-keychain.passphrase",
+        },
+      },
+      {
+        name: "Installer Certificate",
+        keychain: {
+          pass: "IT/CBI/PKI/mac.developer@eclipse.org/Eclipse Foundation, Inc./application-keychain.p12",
+          filename: "installer-keychain.p12",
+        },
+        password: {
+          pass: "IT/CBI/PKI/mac.developer@eclipse.org/Eclipse Foundation, Inc./application-keychain.passphrase",
+          filename: "installer-keychain.passphrase",
+        },
+      },
+    ],
   },
 
   kube+: {
@@ -53,7 +77,7 @@ deployment.newDeployment("macosx-signing", std.extVar("artifactId"), std.extVar(
 
   Dockerfile: super.Dockerfile + |||
     RUN cd /usr/local/bin \
-      && curl -L -o codesign.tar.gz 'https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.27.0/apple-codesign-0.27.0-x86_64-unknown-linux-musl.tar.gz' \
+      && curl -L -o codesign.tar.gz 'https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%%2F0.27.0/apple-codesign-0.27.0-x86_64-unknown-linux-musl.tar.gz' \
       && tar xzf codesign.tar.gz --strip-components=1 \
       && rm -f codesign.tar.gz
   ||| % $,
@@ -152,10 +176,10 @@ deployment.newDeployment("macosx-signing", std.extVar("artifactId"), std.extVar(
       log4j.appender.access-log.layout=org.apache.log4j.PatternLayout
       log4j.appender.access-log.layout.ConversionPattern=%%m%%n
     ||| % $ {
-      credentialsFile: "%s/%s" % [ $.keystore.path, $.keystore.password.filename ],
-      certChainFile: "%s/%s" % [ $.keystore.path, $.keystore.filename ],
-      keyRing: $.keystore.keyRing,
-      defaultKey: $.keystore.defaultAlias,
+      applicationKeychain: "%s/%s" % [ $.keystore.path, $.keystore.entries[0].keychain.filename ],
+      applicationPasswordFile: "%s/%s" % [ $.keystore.path, $.keystore.entries[0].password.filename ],
+      installerKeychain: "%s/%s" % [ $.keystore.path, $.keystore.entries[1].keychain.filename ],
+      installerPasswordFile: "%s/%s" % [ $.keystore.path, $.keystore.entries[1].password.filename ],
     },
   },
 }